aws-sdk-paymentcryptography 1.8.0 → 1.10.0

@@ -434,14 +434,14 @@ module Aws::PaymentCryptography
434
434
  # [2]: https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_DecryptData.html
435
435
  #
436
436
  # @option params [required, String] :alias_name
437
- # A friendly name that you can use to refer a key. An alias must begin
438
- # with `alias/` followed by a name, for example `alias/ExampleAlias`. It
439
- # can contain only alphanumeric characters, forward slashes (/),
440
- # underscores (\_), and dashes (-).
437
+ # A friendly name that you can use to refer to a key. An alias must
438
+ # begin with `alias/` followed by a name, for example
439
+ # `alias/ExampleAlias`. It can contain only alphanumeric characters,
440
+ # forward slashes (/), underscores (\_), and dashes (-).
441
441
  #
442
- # Don't include confidential or sensitive information in this field.
443
- # This field may be displayed in plaintext in CloudTrail logs and other
444
- # output.
442
+ # Don't include personal, confidential or sensitive information in this
443
+ # field. This field may be displayed in plaintext in CloudTrail logs and
444
+ # other output.
445
445
  #
446
446
  # @option params [String] :key_arn
447
447
  # The `KeyARN` of the key to associate with the alias.
@@ -482,7 +482,7 @@ module Aws::PaymentCryptography
482
482
  # key state.
483
483
  #
484
484
  # When you create a key, you specify both immutable and mutable data
485
- # about the key. The immutable data contains key attributes that defines
485
+ # about the key. The immutable data contains key attributes that define
486
486
  # the scope and cryptographic operations that you can perform using the
487
487
  # key, for example key class (example: `SYMMETRIC_KEY`), key algorithm
488
488
  # (example: `TDES_2KEY`), key usage (example:
@@ -515,8 +515,8 @@ module Aws::PaymentCryptography
515
515
  #
516
516
  # @option params [Boolean] :enabled
517
517
  # Specifies whether to enable the key. If the key is enabled, it is
518
- # activated for use within the service. If the key not enabled, then it
519
- # is created but not activated. The default value is enabled.
518
+ # activated for use within the service. If the key is not enabled, then
519
+ # it is created but not activated. The default value is enabled.
520
520
  #
521
521
  # @option params [required, Boolean] :exportable
522
522
  # Specifies whether the key is exportable from the service.
@@ -528,27 +528,29 @@ module Aws::PaymentCryptography
528
528
  #
529
529
  # @option params [String] :key_check_value_algorithm
530
530
  # The algorithm that Amazon Web Services Payment Cryptography uses to
531
- # calculate the key check value (KCV) for DES and AES keys.
531
+ # calculate the key check value (KCV). It is used to validate the key
532
+ # integrity.
532
533
  #
533
- # For DES key, the KCV is computed by encrypting 8 bytes, each with
534
- # value '00', with the key to be checked and retaining the 3 highest
535
- # order bytes of the encrypted result. For AES key, the KCV is computed
536
- # by encrypting 8 bytes, each with value '01', with the key to be
537
- # checked and retaining the 3 highest order bytes of the encrypted
538
- # result.
534
+ # For TDES keys, the KCV is computed by encrypting 8 bytes, each with
535
+ # value of zero, with the key to be checked and retaining the 3 highest
536
+ # order bytes of the encrypted result. For AES keys, the KCV is computed
537
+ # using a CMAC algorithm where the input data is 16 bytes of zero and
538
+ # retaining the 3 highest order bytes of the encrypted result.
539
539
  #
540
540
  # @option params [Array<Types::Tag>] :tags
541
- # The tags to attach to the key. Each tag consists of a tag key and a
542
- # tag value. Both the tag key and the tag value are required, but the
543
- # tag value can be an empty (null) string. You can't have more than one
544
- # tag on an Amazon Web Services Payment Cryptography key with the same
545
- # tag key.
541
+ # Assigns one or more tags to the Amazon Web Services Payment
542
+ # Cryptography key. Use this parameter to tag a key when it is created.
543
+ # To tag an existing Amazon Web Services Payment Cryptography key, use
544
+ # the TagResource operation.
546
545
  #
547
- # To use this parameter, you must have `TagResource` permission.
546
+ # Each tag consists of a tag key and a tag value. Both the tag key and
547
+ # the tag value are required, but the tag value can be an empty (null)
548
+ # string. You can't have more than one tag on an Amazon Web Services
549
+ # Payment Cryptography key with the same tag key.
548
550
  #
549
- # Don't include confidential or sensitive information in this field.
550
- # This field may be displayed in plaintext in CloudTrail logs and other
551
- # output.
551
+ # Don't include personal, confidential or sensitive information in this
552
+ # field. This field may be displayed in plaintext in CloudTrail logs and
553
+ # other output.
552
554
  #
553
555
  # <note markdown="1"> Tagging or untagging an Amazon Web Services Payment Cryptography key
554
556
  # can allow or deny permission to the key.
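Review bot: The rewritten `:tags` description drops the sentence `To use this parameter, you must have TagResource permission.`, although the note that closes this hunk still says that tagging or untagging a key can allow or deny permission to it. The diff does not show whether the IAM requirement still applies. If it does, a caller granted only key creation would presumably hit an authorization failure that the docs no longer explain, and a policy author loses the cue that tag-on-create is a permission-bearing action. I would keep the sentence, placed right after the paragraph that points to the TagResource operation.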
@@ -578,7 +580,7 @@ module Aws::PaymentCryptography
578
580
  # verify: false,
579
581
  # wrap: false,
580
582
  # },
581
- # key_usage: "TR31_B0_BASE_DERIVATION_KEY", # required, accepts TR31_B0_BASE_DERIVATION_KEY, TR31_C0_CARD_VERIFICATION_KEY, TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY, TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION, TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS, TR31_E1_EMV_MKEY_CONFIDENTIALITY, TR31_E2_EMV_MKEY_INTEGRITY, TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS, TR31_E5_EMV_MKEY_CARD_PERSONALIZATION, TR31_E6_EMV_MKEY_OTHER, TR31_K0_KEY_ENCRYPTION_KEY, TR31_K1_KEY_BLOCK_PROTECTION_KEY, TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT, TR31_M3_ISO_9797_3_MAC_KEY, TR31_M6_ISO_9797_5_CMAC_KEY, TR31_M7_HMAC_KEY, TR31_P0_PIN_ENCRYPTION_KEY, TR31_P1_PIN_GENERATION_KEY, TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE, TR31_V1_IBM3624_PIN_VERIFICATION_KEY, TR31_V2_VISA_PIN_VERIFICATION_KEY, TR31_K2_TR34_ASYMMETRIC_KEY
583
+ # key_usage: "TR31_B0_BASE_DERIVATION_KEY", # required, accepts TR31_B0_BASE_DERIVATION_KEY, TR31_C0_CARD_VERIFICATION_KEY, TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY, TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION, TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS, TR31_E1_EMV_MKEY_CONFIDENTIALITY, TR31_E2_EMV_MKEY_INTEGRITY, TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS, TR31_E5_EMV_MKEY_CARD_PERSONALIZATION, TR31_E6_EMV_MKEY_OTHER, TR31_K0_KEY_ENCRYPTION_KEY, TR31_K1_KEY_BLOCK_PROTECTION_KEY, TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT, TR31_M3_ISO_9797_3_MAC_KEY, TR31_M1_ISO_9797_1_MAC_KEY, TR31_M6_ISO_9797_5_CMAC_KEY, TR31_M7_HMAC_KEY, TR31_P0_PIN_ENCRYPTION_KEY, TR31_P1_PIN_GENERATION_KEY, TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE, TR31_V1_IBM3624_PIN_VERIFICATION_KEY, TR31_V2_VISA_PIN_VERIFICATION_KEY, TR31_K2_TR34_ASYMMETRIC_KEY
582
584
  # },
583
585
  # key_check_value_algorithm: "CMAC", # accepts CMAC, ANSI_X9_24
584
586
  # tags: [
@@ -608,7 +610,7 @@ module Aws::PaymentCryptography
608
610
  # resp.key.key_attributes.key_modes_of_use.unwrap #=> Boolean
609
611
  # resp.key.key_attributes.key_modes_of_use.verify #=> Boolean
610
612
  # resp.key.key_attributes.key_modes_of_use.wrap #=> Boolean
611
- # resp.key.key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
613
+ # resp.key.key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M1_ISO_9797_1_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
612
614
  # resp.key.key_check_value #=> String
613
615
  # resp.key.key_check_value_algorithm #=> String, one of "CMAC", "ANSI_X9_24"
614
616
  # resp.key.key_origin #=> String, one of "EXTERNAL", "AWS_PAYMENT_CRYPTOGRAPHY"
@@ -668,7 +670,7 @@ module Aws::PaymentCryptography
668
670
  req.send_request(options)
669
671
  end
670
672
 
671
- # Deletes the key material and all metadata associated with Amazon Web
673
+ # Deletes the key material and metadata associated with Amazon Web
672
674
  # Services Payment Cryptography key.
673
675
  #
674
676
  # Key deletion is irreversible. After a key is deleted, you can't
@@ -679,13 +681,10 @@ module Aws::PaymentCryptography
679
681
  # Services Payment Cryptography has a safety mechanism to prevent
680
682
  # accidental deletion of a key. When you call this operation, Amazon Web
681
683
  # Services Payment Cryptography disables the specified key but doesn't
682
- # delete it until after a waiting period. The default waiting period is
683
- # 7 days. To set a different waiting period, set `DeleteKeyInDays`.
684
- # During the waiting period, the `KeyState` is `DELETE_PENDING`. After
685
- # the key is deleted, the `KeyState` is `DELETE_COMPLETE`.
686
- #
687
- # If you delete key material, you can use ImportKey to reimport the same
688
- # key material into the Amazon Web Services Payment Cryptography key.
684
+ # delete it until after a waiting period set using `DeleteKeyInDays`.
685
+ # The default waiting period is 7 days. During the waiting period, the
686
+ # `KeyState` is `DELETE_PENDING`. After the key is deleted, the
687
+ # `KeyState` is `DELETE_COMPLETE`.
689
688
  #
690
689
  # You should delete a key only when you are sure that you don't need to
691
690
  # use it anymore and no other parties are utilizing this key. If you
@@ -739,7 +738,7 @@ module Aws::PaymentCryptography
739
738
  # resp.key.key_attributes.key_modes_of_use.unwrap #=> Boolean
740
739
  # resp.key.key_attributes.key_modes_of_use.verify #=> Boolean
741
740
  # resp.key.key_attributes.key_modes_of_use.wrap #=> Boolean
742
- # resp.key.key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
741
+ # resp.key.key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M1_ISO_9797_1_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
743
742
  # resp.key.key_check_value #=> String
744
743
  # resp.key.key_check_value_algorithm #=> String, one of "CMAC", "ANSI_X9_24"
745
744
  # resp.key.key_origin #=> String, one of "EXTERNAL", "AWS_PAYMENT_CRYPTOGRAPHY"
@@ -756,69 +755,146 @@ module Aws::PaymentCryptography
756
755
  req.send_request(options)
757
756
  end
758
757
 
759
- # Exports a key from Amazon Web Services Payment Cryptography using
760
- # either ANSI X9 TR-34 or TR-31 key export standard.
761
- #
762
- # Amazon Web Services Payment Cryptography simplifies main or root key
763
- # exchange process by eliminating the need of a paper-based key exchange
764
- # process. It takes a modern and secure approach based of the ANSI X9
765
- # TR-34 key exchange standard.
766
- #
767
- # You can use `ExportKey` to export main or root keys such as KEK (Key
768
- # Encryption Key), using asymmetric key exchange technique following
769
- # ANSI X9 TR-34 standard. The ANSI X9 TR-34 standard uses asymmetric
770
- # keys to establishes bi-directional trust between the two parties
771
- # exchanging keys. After which you can export working keys using the
772
- # ANSI X9 TR-31 symmetric key exchange standard as mandated by PCI PIN.
773
- # Using this operation, you can share your Amazon Web Services Payment
774
- # Cryptography generated keys with other service partners to perform
775
- # cryptographic operations outside of Amazon Web Services Payment
776
- # Cryptography
777
- #
778
- # **TR-34 key export**
779
- #
780
- # Amazon Web Services Payment Cryptography uses TR-34 asymmetric key
781
- # exchange standard to export main keys such as KEK. In TR-34
782
- # terminology, the sending party of the key is called Key Distribution
783
- # Host (KDH) and the receiving party of the key is called Key Receiving
784
- # Host (KRH). In key export process, KDH is Amazon Web Services Payment
785
- # Cryptography which initiates key export. KRH is the user receiving the
786
- # key. Before you initiate TR-34 key export, you must obtain an export
787
- # token by calling GetParametersForExport. This operation also returns
788
- # the signing key certificate that KDH uses to sign the wrapped key to
789
- # generate a TR-34 wrapped key block. The export token expires after 7
790
- # days.
758
+ # Exports a key from Amazon Web Services Payment Cryptography.
759
+ #
760
+ # Amazon Web Services Payment Cryptography simplifies key exchange by
761
+ # replacing the existing paper-based approach with a modern electronic
762
+ # approach. With `ExportKey` you can export symmetric keys using either
763
+ # symmetric and asymmetric key exchange mechanisms. Using this
764
+ # operation, you can share your Amazon Web Services Payment Cryptography
765
+ # generated keys with other service partners to perform cryptographic
766
+ # operations outside of Amazon Web Services Payment Cryptography
767
+ #
768
+ # For symmetric key exchange, Amazon Web Services Payment Cryptography
769
+ # uses the ANSI X9 TR-31 norm in accordance with PCI PIN guidelines. And
770
+ # for asymmetric key exchange, Amazon Web Services Payment Cryptography
771
+ # supports ANSI X9 TR-34 norm and RSA wrap and unwrap key exchange
772
+ # mechanism. Asymmetric key exchange methods are typically used to
773
+ # establish bi-directional trust between the two parties exhanging keys
774
+ # and are used for initial key exchange such as Key Encryption Key
775
+ # (KEK). After which you can export working keys using symmetric method
776
+ # to perform various cryptographic operations within Amazon Web Services
777
+ # Payment Cryptography.
778
+ #
779
+ # The TR-34 norm is intended for exchanging 3DES keys only and keys are
780
+ # imported in a WrappedKeyBlock format. Key attributes (such as
781
+ # KeyUsage, KeyAlgorithm, KeyModesOfUse, Exportability) are contained
782
+ # within the key block. With RSA wrap and unwrap, you can exchange both
783
+ # 3DES and AES-128 keys. The keys are imported in a WrappedKeyCryptogram
784
+ # format and you will need to specify the key attributes during import.
785
+ #
786
+ # You can also use `ExportKey` functionality to generate and export an
787
+ # IPEK (Initial Pin Encryption Key) from Amazon Web Services Payment
788
+ # Cryptography using either TR-31 or TR-34 export key exchange. IPEK is
789
+ # generated from BDK (Base Derivation Key) and `ExportDukptInitialKey`
790
+ # attribute KSN (`KeySerialNumber`). The generated IPEK does not persist
791
+ # within Amazon Web Services Payment Cryptography and has to be
792
+ # re-generated each time during export.
793
+ #
794
+ # **To export initial keys (KEK) or IPEK using TR-34**
795
+ #
796
+ # Using this operation, you can export initial key using TR-34
797
+ # asymmetric key exchange. You can only export KEK generated within
798
+ # Amazon Web Services Payment Cryptography. In TR-34 terminology, the
799
+ # sending party of the key is called Key Distribution Host (KDH) and the
800
+ # receiving party of the key is called Key Receiving Device (KRD).
801
+ # During key export process, KDH is Amazon Web Services Payment
802
+ # Cryptography which initiates key export and KRD is the user receiving
803
+ # the key.
804
+ #
805
+ # To initiate TR-34 key export, the KRD must obtain an export token by
806
+ # calling GetParametersForExport. This operation also generates a key
807
+ # pair for the purpose of key export, signs the key and returns back the
808
+ # signing public key certificate (also known as KDH signing certificate)
809
+ # and root certificate chain. The KDH uses the private key to sign the
810
+ # the export payload and the signing public key certificate is provided
811
+ # to KRD to verify the signature. The KRD can import the root
812
+ # certificate into its Hardware Security Module (HSM), as required. The
813
+ # export token and the associated KDH signing certificate expires after
814
+ # 7 days.
815
+ #
816
+ # Next the KRD generates a key pair for the the purpose of encrypting
817
+ # the KDH key and provides the public key cerificate (also known as KRD
818
+ # wrapping certificate) back to KDH. The KRD will also import the root
819
+ # cerificate chain into Amazon Web Services Payment Cryptography by
820
+ # calling ImportKey for `RootCertificatePublicKey`. The KDH, Amazon Web
821
+ # Services Payment Cryptography, will use the KRD wrapping cerificate to
822
+ # encrypt (wrap) the key under export and signs it with signing private
823
+ # key to generate a TR-34 WrappedKeyBlock. For more information on TR-34
824
+ # key export, see section [Exporting symmetric keys][1] in the *Amazon
825
+ # Web Services Payment Cryptography User Guide*.
791
826
  #
792
827
  # Set the following parameters:
793
828
  #
794
- # CertificateAuthorityPublicKeyIdentifier
829
+ # * `ExportAttributes`: Specify export attributes in case of IPEK
830
+ # export. This parameter is optional for KEK export.
795
831
  #
796
- # : The `KeyARN` of the certificate chain that will sign the wrapping
797
- # key certificate. This must exist within Amazon Web Services Payment
798
- # Cryptography before you initiate TR-34 key export. If it does not
799
- # exist, you can import it by calling ImportKey for
800
- # `RootCertificatePublicKey`.
832
+ # * `ExportKeyIdentifier`: The `KeyARN` of the KEK or BDK (in case of
833
+ # IPEK) under export.
801
834
  #
802
- # ExportToken
835
+ # * `KeyMaterial`: Use `Tr34KeyBlock` parameters.
803
836
  #
804
- # : Obtained from KDH by calling GetParametersForExport.
837
+ # * `CertificateAuthorityPublicKeyIdentifier`: The `KeyARN` of the
838
+ # certificate chain that signed the KRD wrapping key certificate.
805
839
  #
806
- # WrappingKeyCertificate
840
+ # * `ExportToken`: Obtained from KDH by calling GetParametersForImport.
807
841
  #
808
- # : Amazon Web Services Payment Cryptography uses this to wrap the key
809
- # under export.
842
+ # * `WrappingKeyCertificate`: The public key certificate in PEM format
843
+ # (base64 encoded) of the KRD wrapping key Amazon Web Services Payment
844
+ # Cryptography uses for encryption of the TR-34 export payload. This
845
+ # certificate must be signed by the root certificate
846
+ # (CertificateAuthorityPublicKeyIdentifier) imported into Amazon Web
847
+ # Services Payment Cryptography.
810
848
  #
811
849
  # When this operation is successful, Amazon Web Services Payment
812
- # Cryptography returns the TR-34 wrapped key block.
850
+ # Cryptography returns the KEK or IPEK as a TR-34 WrappedKeyBlock.
813
851
  #
814
- # **TR-31 key export**
852
+ # **To export initial keys (KEK) or IPEK using RSA Wrap and Unwrap**
815
853
  #
816
- # Amazon Web Services Payment Cryptography uses TR-31 symmetric key
817
- # exchange standard to export working keys. In TR-31, you must use a
818
- # main key such as KEK to encrypt or wrap the key under export. To
819
- # establish a KEK, you can use CreateKey or ImportKey. When this
820
- # operation is successful, Amazon Web Services Payment Cryptography
821
- # returns a TR-31 wrapped key block.
854
+ # Using this operation, you can export initial key using asymmetric RSA
855
+ # wrap and unwrap key exchange method. To initiate export, generate an
856
+ # asymmetric key pair on the receiving HSM and obtain the public key
857
+ # certificate in PEM format (base64 encoded) for the purpose of wrapping
858
+ # and the root certifiate chain. Import the root certificate into Amazon
859
+ # Web Services Payment Cryptography by calling ImportKey for
860
+ # `RootCertificatePublicKey`.
861
+ #
862
+ # Next call `ExportKey` and set the following parameters:
863
+ #
864
+ # * `CertificateAuthorityPublicKeyIdentifier`: The `KeyARN` of the
865
+ # certificate chain that signed wrapping key certificate.
866
+ #
867
+ # * `KeyMaterial`: Set to `KeyCryptogram`.
868
+ #
869
+ # * `WrappingKeyCertificate`: The public key certificate in PEM format
870
+ # (base64 encoded) obtained by the receiving HSM and signed by the
871
+ # root certificate (CertificateAuthorityPublicKeyIdentifier) imported
872
+ # into Amazon Web Services Payment Cryptography. The receiving HSM
873
+ # uses its private key component to unwrap the WrappedKeyCryptogram.
874
+ #
875
+ # When this operation is successful, Amazon Web Services Payment
876
+ # Cryptography returns the WrappedKeyCryptogram.
877
+ #
878
+ # **To export working keys or IPEK using TR-31**
879
+ #
880
+ # Using this operation, you can export working keys or IPEK using TR-31
881
+ # symmetric key exchange. In TR-31, you must use an initial key such as
882
+ # KEK to encrypt or wrap the key under export. To establish a KEK, you
883
+ # can use CreateKey or ImportKey.
884
+ #
885
+ # Set the following parameters:
886
+ #
887
+ # * `ExportAttributes`: Specify export attributes in case of IPEK
888
+ # export. This parameter is optional for KEK export.
889
+ #
890
+ # * `ExportKeyIdentifier`: The `KeyARN` of the KEK or BDK (in case of
891
+ # IPEK) under export.
892
+ #
893
+ # * `KeyMaterial`: Use `Tr31KeyBlock` parameters.
894
+ #
895
+ # When this operation is successful, Amazon Web Services Payment
896
+ # Cryptography returns the working key or IPEK as a TR-31
897
+ # WrappedKeyBlock.
822
898
  #
823
899
  # **Cross-account use:** This operation can't be used across different
824
900
  # Amazon Web Services accounts.
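Review bot: The `ExportToken` bullet in the TR-34 parameter list says the token is obtained by calling GetParametersForImport, which contradicts the paragraph earlier in this hunk stating that the KRD obtains the export token by calling GetParametersForExport; the removed text also named GetParametersForExport. The bullet should read `ExportToken: Obtained from KDH by calling GetParametersForExport.` The paragraph comparing TR-34 with RSA wrap and unwrap also says keys "are imported" in WrappedKeyBlock or WrappedKeyCryptogram format and that attributes are specified "during import", which looks carried over from the ImportKey text and should be worded for export. The added prose also contains misspellings (`exhanging`, `cerificate`, `certifiate`, a doubled `the the`), and `cerificate` and `exhanging` recur in the later GetParametersForImport and ImportKey hunks; they make the certificate-handling steps harder to find by search.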
@@ -829,6 +905,13 @@ module Aws::PaymentCryptography
829
905
  #
830
906
  # * ImportKey
831
907
  #
908
+ #
909
+ #
910
+ # [1]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-export.html
911
+ #
912
+ # @option params [Types::ExportAttributes] :export_attributes
913
+ # The attributes for IPEK generation during export.
914
+ #
832
915
  # @option params [required, String] :export_key_identifier
833
916
  # The `KeyARN` of the key under export from Amazon Web Services Payment
834
917
  # Cryptography.
@@ -844,8 +927,19 @@ module Aws::PaymentCryptography
844
927
  # @example Request syntax with placeholder values
845
928
  #
846
929
  # resp = client.export_key({
930
+ # export_attributes: {
931
+ # export_dukpt_initial_key: {
932
+ # key_serial_number: "HexLength20Or24", # required
933
+ # },
934
+ # key_check_value_algorithm: "CMAC", # accepts CMAC, ANSI_X9_24
935
+ # },
847
936
  # export_key_identifier: "KeyArnOrKeyAliasType", # required
848
937
  # key_material: { # required
938
+ # key_cryptogram: {
939
+ # certificate_authority_public_key_identifier: "KeyArnOrKeyAliasType", # required
940
+ # wrapping_key_certificate: "CertificateType", # required
941
+ # wrapping_spec: "RSA_OAEP_SHA_256", # accepts RSA_OAEP_SHA_256, RSA_OAEP_SHA_512
942
+ # },
849
943
  # tr_31_key_block: {
850
944
  # wrapping_key_identifier: "KeyArnOrKeyAliasType", # required
851
945
  # },
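Review bot: The new `key_cryptogram` example lists `wrapping_spec` without a `# required` marker, and the RSA wrap and unwrap parameter list in the ExportKey description does not mention it, so a reader cannot tell from this file which OAEP hash applies when the field is omitted. The receiving HSM has to unwrap with the same padding parameters, so the default belongs in the method documentation; it may already be documented on the request type, which is outside this hunk. A bullet such as `# * WrappingSpec: RSA_OAEP_SHA_256 or RSA_OAEP_SHA_512; state the default used when omitted.` in the RSA parameter list would cover it.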
@@ -861,6 +955,8 @@ module Aws::PaymentCryptography
861
955
  #
862
956
  # @example Response structure
863
957
  #
958
+ # resp.wrapped_key.key_check_value #=> String
959
+ # resp.wrapped_key.key_check_value_algorithm #=> String, one of "CMAC", "ANSI_X9_24"
864
960
  # resp.wrapped_key.key_material #=> String
865
961
  # resp.wrapped_key.wrapped_key_material_format #=> String, one of "KEY_CRYPTOGRAM", "TR31_KEY_BLOCK", "TR34_KEY_BLOCK"
866
962
  # resp.wrapped_key.wrapping_key_arn #=> String
@@ -964,7 +1060,7 @@ module Aws::PaymentCryptography
964
1060
  # resp.key.key_attributes.key_modes_of_use.unwrap #=> Boolean
965
1061
  # resp.key.key_attributes.key_modes_of_use.verify #=> Boolean
966
1062
  # resp.key.key_attributes.key_modes_of_use.wrap #=> Boolean
967
- # resp.key.key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
1063
+ # resp.key.key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M1_ISO_9797_1_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
968
1064
  # resp.key.key_check_value #=> String
969
1065
  # resp.key.key_check_value_algorithm #=> String, one of "CMAC", "ANSI_X9_24"
970
1066
  # resp.key.key_origin #=> String, one of "EXTERNAL", "AWS_PAYMENT_CRYPTOGRAPHY"
@@ -1008,8 +1104,7 @@ module Aws::PaymentCryptography
1008
1104
  # @option params [required, String] :signing_key_algorithm
1009
1105
  # The signing key algorithm to generate a signing key certificate. This
1010
1106
  # certificate signs the wrapped key under export within the TR-34 key
1011
- # block cryptogram. `RSA_2048` is the only signing key algorithm
1012
- # allowed.
1107
+ # block. `RSA_2048` is the only signing key algorithm allowed.
1013
1108
  #
1014
1109
  # @return [Types::GetParametersForExportOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1015
1110
  #
@@ -1022,7 +1117,7 @@ module Aws::PaymentCryptography
1022
1117
  # @example Request syntax with placeholder values
1023
1118
  #
1024
1119
  # resp = client.get_parameters_for_export({
1025
- # key_material_type: "TR34_KEY_BLOCK", # required, accepts TR34_KEY_BLOCK, TR31_KEY_BLOCK, ROOT_PUBLIC_KEY_CERTIFICATE, TRUSTED_PUBLIC_KEY_CERTIFICATE
1120
+ # key_material_type: "TR34_KEY_BLOCK", # required, accepts TR34_KEY_BLOCK, TR31_KEY_BLOCK, ROOT_PUBLIC_KEY_CERTIFICATE, TRUSTED_PUBLIC_KEY_CERTIFICATE, KEY_CRYPTOGRAM
1026
1121
  # signing_key_algorithm: "TDES_2KEY", # required, accepts TDES_2KEY, TDES_3KEY, AES_128, AES_192, AES_256, RSA_2048, RSA_3072, RSA_4096
1027
1122
  # })
1028
1123
  #
@@ -1043,14 +1138,16 @@ module Aws::PaymentCryptography
1043
1138
  req.send_request(options)
1044
1139
  end
1045
1140
 
1046
- # Gets the import token and the wrapping key certificate to initiate a
1047
- # TR-34 key import into Amazon Web Services Payment Cryptography.
1141
+ # Gets the import token and the wrapping key certificate in PEM format
1142
+ # (base64 encoded) to initiate a TR-34 WrappedKeyBlock or a RSA
1143
+ # WrappedKeyCryptogram import into Amazon Web Services Payment
1144
+ # Cryptography.
1048
1145
  #
1049
- # The wrapping key certificate wraps the key under import within the
1050
- # TR-34 key payload. The import token and wrapping key certificate must
1051
- # be in place and operational before calling ImportKey. The import token
1052
- # expires in 7 days. The same import token can be used to import
1053
- # multiple keys into your service account.
1146
+ # The wrapping key certificate wraps the key under import. The import
1147
+ # token and wrapping key certificate must be in place and operational
1148
+ # before calling ImportKey. The import token expires in 7 days. You can
1149
+ # use the same import token to import multiple keys into your service
1150
+ # account.
1054
1151
  #
1055
1152
  # **Cross-account use:** This operation can't be used across different
1056
1153
  # Amazon Web Services accounts.
@@ -1062,14 +1159,21 @@ module Aws::PaymentCryptography
1062
1159
  # * ImportKey
1063
1160
  #
1064
1161
  # @option params [required, String] :key_material_type
1065
- # The key block format type such as TR-34 or TR-31 to use during key
1066
- # material import. Import token is only required for TR-34 key import
1067
- # `TR34_KEY_BLOCK`. Import token is not required for TR-31 key import.
1162
+ # The method to use for key material import. Import token is only
1163
+ # required for TR-34 WrappedKeyBlock (`TR34_KEY_BLOCK`) and RSA
1164
+ # WrappedKeyCryptogram (`KEY_CRYPTOGRAM`).
1165
+ #
1166
+ # Import token is not required for TR-31, root public key cerificate or
1167
+ # trusted public key certificate.
1068
1168
  #
1069
1169
  # @option params [required, String] :wrapping_key_algorithm
1070
1170
  # The wrapping key algorithm to generate a wrapping key certificate.
1071
- # This certificate wraps the key under import within the TR-34 key block
1072
- # cryptogram. `RSA_2048` is the only wrapping key algorithm allowed.
1171
+ # This certificate wraps the key under import.
1172
+ #
1173
+ # At this time, `RSA_2048` is the allowed algorithm for TR-34
1174
+ # WrappedKeyBlock import. Additionally, `RSA_2048`, `RSA_3072`,
1175
+ # `RSA_4096` are the allowed algorithms for RSA WrappedKeyCryptogram
1176
+ # import.
1073
1177
  #
1074
1178
  # @return [Types::GetParametersForImportOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1075
1179
  #
@@ -1082,7 +1186,7 @@ module Aws::PaymentCryptography
1082
1186
  # @example Request syntax with placeholder values
1083
1187
  #
1084
1188
  # resp = client.get_parameters_for_import({
1085
- # key_material_type: "TR34_KEY_BLOCK", # required, accepts TR34_KEY_BLOCK, TR31_KEY_BLOCK, ROOT_PUBLIC_KEY_CERTIFICATE, TRUSTED_PUBLIC_KEY_CERTIFICATE
1189
+ # key_material_type: "TR34_KEY_BLOCK", # required, accepts TR34_KEY_BLOCK, TR31_KEY_BLOCK, ROOT_PUBLIC_KEY_CERTIFICATE, TRUSTED_PUBLIC_KEY_CERTIFICATE, KEY_CRYPTOGRAM
1086
1190
  # wrapping_key_algorithm: "TDES_2KEY", # required, accepts TDES_2KEY, TDES_3KEY, AES_128, AES_192, AES_256, RSA_2048, RSA_3072, RSA_4096
1087
1191
  # })
1088
1192
  #
@@ -1144,29 +1248,41 @@ module Aws::PaymentCryptography
1144
1248
  req.send_request(options)
1145
1249
  end
1146
1250
 
1147
- # Imports keys and public key certificates into Amazon Web Services
1148
- # Payment Cryptography.
1251
+ # Imports symmetric keys and public key certificates in PEM format
1252
+ # (base64 encoded) into Amazon Web Services Payment Cryptography.
1253
+ #
1254
+ # Amazon Web Services Payment Cryptography simplifies key exchange by
1255
+ # replacing the existing paper-based approach with a modern electronic
1256
+ # approach. With `ImportKey` you can import symmetric keys using either
1257
+ # symmetric and asymmetric key exchange mechanisms.
1258
+ #
1259
+ # For symmetric key exchange, Amazon Web Services Payment Cryptography
1260
+ # uses the ANSI X9 TR-31 norm in accordance with PCI PIN guidelines. And
1261
+ # for asymmetric key exchange, Amazon Web Services Payment Cryptography
1262
+ # supports ANSI X9 TR-34 norm and RSA wrap and unwrap key exchange
1263
+ # mechanisms. Asymmetric key exchange methods are typically used to
1264
+ # establish bi-directional trust between the two parties exhanging keys
1265
+ # and are used for initial key exchange such as Key Encryption Key (KEK)
1266
+ # or Zone Master Key (ZMK). After which you can import working keys
1267
+ # using symmetric method to perform various cryptographic operations
1268
+ # within Amazon Web Services Payment Cryptography.
1149
1269
  #
1150
- # Amazon Web Services Payment Cryptography simplifies main or root key
1151
- # exchange process by eliminating the need of a paper-based key exchange
1152
- # process. It takes a modern and secure approach based of the ANSI X9
1153
- # TR-34 key exchange standard.
1270
+ # The TR-34 norm is intended for exchanging 3DES keys only and keys are
1271
+ # imported in a WrappedKeyBlock format. Key attributes (such as
1272
+ # KeyUsage, KeyAlgorithm, KeyModesOfUse, Exportability) are contained
1273
+ # within the key block. With RSA wrap and unwrap, you can exchange both
1274
+ # 3DES and AES-128 keys. The keys are imported in a WrappedKeyCryptogram
1275
+ # format and you will need to specify the key attributes during import.
1154
1276
  #
1155
- # You can use `ImportKey` to import main or root keys such as KEK (Key
1156
- # Encryption Key) using asymmetric key exchange technique following the
1157
- # ANSI X9 TR-34 standard. The ANSI X9 TR-34 standard uses asymmetric
1158
- # keys to establishes bi-directional trust between the two parties
1159
- # exchanging keys.
1277
+ # You can also import a *root public key certificate*, used to sign
1278
+ # other public key certificates, or a *trusted public key certificate*
1279
+ # under an already established root public key certificate.
1160
1280
  #
1161
- # After you have imported a main or root key, you can import working
1162
- # keys to perform various cryptographic operations within Amazon Web
1163
- # Services Payment Cryptography using the ANSI X9 TR-31 symmetric key
1164
- # exchange standard as mandated by PCI PIN.
1281
+ # **To import a public root key certificate**
1165
1282
  #
1166
- # You can also import a *root public key certificate*, a self-signed
1167
- # certificate used to sign other public key certificates, or a *trusted
1168
- # public key certificate* under an already established root public key
1169
- # certificate.
1283
+ # You can also import a *root public key certificate*, used to sign
1284
+ # other public key certificates, or a *trusted public key certificate*
1285
+ # under an already established root public key certificate.
1170
1286
  #
1171
1287
  # **To import a public root key certificate**
1172
1288
  #
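Review bot: The added ImportKey description repeats itself: the paragraph beginning `# You can also import a *root public key certificate*, used to sign` is added twice, and the new heading `# **To import a public root key certificate**` lands directly above an unchanged copy of the same heading, so the new side shows both the paragraph and the heading two times. One copy of each should be dropped. Two wording slips in the same block: `using either symmetric and asymmetric key exchange mechanisms` should read `either symmetric or asymmetric`, and `exhanging` should be `exchanging`. The comment block continues outside the hunk.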
@@ -1186,8 +1302,8 @@ module Aws::PaymentCryptography
1186
1302
  #
1187
1303
  # * `KeyUsage`: `TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE`
1188
1304
  #
1189
- # * `PublicKeyCertificate`: The certificate authority used to sign the
1190
- # root public key certificate.
1305
+ # * `PublicKeyCertificate`: The public key certificate in PEM format
1306
+ # (base64 encoded) of the private root key under import.
1191
1307
  #
1192
1308
  # **To import a trusted public key certificate**
1193
1309
  #
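Review bot: The new `PublicKeyCertificate` bullet ends with `of the private root key under import`, which can be read as if private key material were part of the import, while the surrounding section is about importing a root public key certificate. Wording that mirrors the trusted-certificate bullet the commit adds in the next hunk would avoid that reading: `The root public key certificate in PEM format (base64 encoded) under import.` The bullet list this hunk edits starts before the hunk.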
@@ -1204,59 +1320,87 @@ module Aws::PaymentCryptography
1204
1320
  # operations such as wrap, sign, or encrypt that you will allow the
1205
1321
  # trusted public key certificate to perform.
1206
1322
  #
1207
- # * `PublicKeyCertificate`: The certificate authority used to sign the
1208
- # trusted public key certificate.
1323
+ # * `PublicKeyCertificate`: The trusted public key certificate in PEM
1324
+ # format (base64 encoded) under import.
1325
+ #
1326
+ # **To import initial keys (KEK or ZMK or similar) using TR-34**
1327
+ #
1328
+ # Using this operation, you can import initial key using TR-34
1329
+ # asymmetric key exchange. In TR-34 terminology, the sending party of
1330
+ # the key is called Key Distribution Host (KDH) and the receiving party
1331
+ # of the key is called Key Receiving Device (KRD). During the key import
1332
+ # process, KDH is the user who initiates the key import and KRD is
1333
+ # Amazon Web Services Payment Cryptography who receives the key.
1334
+ #
1335
+ # To initiate TR-34 key import, the KDH must obtain an import token by
1336
+ # calling GetParametersForImport. This operation generates an encryption
1337
+ # keypair for the purpose of key import, signs the key and returns back
1338
+ # the wrapping key certificate (also known as KRD wrapping certificate)
1339
+ # and the root certificate chain. The KDH must trust and install the KRD
1340
+ # wrapping certificate on its HSM and use it to encrypt (wrap) the KDH
1341
+ # key during TR-34 WrappedKeyBlock generation. The import token and
1342
+ # associated KRD wrapping certificate expires after 7 days.
1343
+ #
1344
+ # Next the KDH generates a key pair for the purpose of signing the
1345
+ # encrypted KDH key and provides the public certificate of the signing
1346
+ # key to Amazon Web Services Payment Cryptography. The KDH will also
1347
+ # need to import the root certificate chain of the KDH signing
1348
+ # certificate by calling `ImportKey` for `RootCertificatePublicKey`. For
1349
+ # more information on TR-34 key import, see section [Importing symmetric
1350
+ # keys][1] in the *Amazon Web Services Payment Cryptography User Guide*.
1209
1351
  #
1210
- # **Import main keys**
1352
+ # Set the following parameters:
1211
1353
  #
1212
- # Amazon Web Services Payment Cryptography uses TR-34 asymmetric key
1213
- # exchange standard to import main keys such as KEK. In TR-34
1214
- # terminology, the sending party of the key is called Key Distribution
1215
- # Host (KDH) and the receiving party of the key is called Key Receiving
1216
- # Host (KRH). During the key import process, KDH is the user who
1217
- # initiates the key import and KRH is Amazon Web Services Payment
1218
- # Cryptography who receives the key. Before initiating TR-34 key import,
1219
- # you must obtain an import token by calling GetParametersForImport.
1220
- # This operation also returns the wrapping key certificate that KDH uses
1221
- # wrap key under import to generate a TR-34 wrapped key block. The
1222
- # import token expires after 7 days.
1354
+ # * `KeyMaterial`: Use `Tr34KeyBlock` parameters.
1223
1355
  #
1224
- # Set the following parameters:
1356
+ # * `CertificateAuthorityPublicKeyIdentifier`: The `KeyARN` of the
1357
+ # certificate chain that signed the KDH signing key certificate.
1225
1358
  #
1226
- # * `CertificateAuthorityPublicKeyIdentifier`: The `KeyArn` of the
1227
- # certificate chain that will sign the signing key certificate and
1228
- # should exist within Amazon Web Services Payment Cryptography before
1229
- # initiating TR-34 key import. If it does not exist, you can import it
1230
- # by calling by calling `ImportKey` for `RootCertificatePublicKey`.
1359
+ # * `ImportToken`: Obtained from KRD by calling GetParametersForImport.
1231
1360
  #
1232
- # * `ImportToken`: Obtained from KRH by calling GetParametersForImport.
1361
+ # * `WrappedKeyBlock`: The TR-34 wrapped key material from KDH. It
1362
+ # contains the KDH key under import, wrapped with KRD wrapping
1363
+ # certificate and signed by KDH signing private key. This TR-34 key
1364
+ # block is typically generated by the KDH Hardware Security Module
1365
+ # (HSM) outside of Amazon Web Services Payment Cryptography.
1233
1366
  #
1234
- # * `WrappedKeyBlock`: The TR-34 wrapped key block from KDH. It contains
1235
- # the KDH key under import, wrapped with KRH provided wrapping key
1236
- # certificate and signed by the KDH private signing key. This TR-34
1237
- # key block is generated by the KDH Hardware Security Module (HSM)
1238
- # outside of Amazon Web Services Payment Cryptography.
1367
+ # * `SigningKeyCertificate`: The public key certificate in PEM format
1368
+ # (base64 encoded) of the KDH signing key generated under the root
1369
+ # certificate (CertificateAuthorityPublicKeyIdentifier) imported in
1370
+ # Amazon Web Services Payment Cryptography.
1239
1371
  #
1240
- # * `SigningKeyCertificate`: The public component of the private key
1241
- # that signed the KDH TR-34 wrapped key block. In PEM certificate
1242
- # format.
1372
+ # **To import initial keys (KEK or ZMK or similar) using RSA Wrap and
1373
+ # Unwrap**
1243
1374
  #
1244
- # <note markdown="1"> TR-34 is intended primarily to exchange 3DES keys. Your ability to
1245
- # export AES-128 and larger AES keys may be dependent on your source
1246
- # system.
1375
+ # Using this operation, you can import initial key using asymmetric RSA
1376
+ # wrap and unwrap key exchange method. To initiate import, call
1377
+ # GetParametersForImport with `KeyMaterial` set to `KEY_CRYPTOGRAM` to
1378
+ # generate an import token. This operation also generates an encryption
1379
+ # keypair for the purpose of key import, signs the key and returns back
1380
+ # the wrapping key certificate in PEM format (base64 encoded) and its
1381
+ # root certificate chain. The import token and associated KRD wrapping
1382
+ # certificate expires after 7 days.
1247
1383
  #
1248
- # </note>
1384
+ # You must trust and install the wrapping certificate and its
1385
+ # certificate chain on the sending HSM and use it to wrap the key under
1386
+ # export for WrappedKeyCryptogram generation. Next call `ImportKey` with
1387
+ # `KeyMaterial` set to `KEY_CRYPTOGRAM` and provide the `ImportToken`
1388
+ # and `KeyAttributes` for the key under import.
1249
1389
  #
1250
- # **Import working keys**
1390
+ # **To import working keys using TR-31**
1251
1391
  #
1252
1392
  # Amazon Web Services Payment Cryptography uses TR-31 symmetric key
1253
- # exchange standard to import working keys. A KEK must be established
1254
- # within Amazon Web Services Payment Cryptography by using TR-34 key
1255
- # import. To initiate a TR-31 key import, set the following parameters:
1393
+ # exchange norm to import working keys. A KEK must be established within
1394
+ # Amazon Web Services Payment Cryptography by using TR-34 key import or
1395
+ # by using CreateKey. To initiate a TR-31 key import, set the following
1396
+ # parameters:
1256
1397
  #
1257
- # * `WrappedKeyBlock`: The key under import and encrypted using KEK. The
1258
- # TR-31 key block generated by your HSM outside of Amazon Web Services
1259
- # Payment Cryptography.
1398
+ # * `KeyMaterial`: Use `Tr31KeyBlock` parameters.
1399
+ #
1400
+ # * `WrappedKeyBlock`: The TR-31 wrapped key material. It contains the
1401
+ # key under import, encrypted using KEK. The TR-31 key block is
1402
+ # typically generated by a HSM outside of Amazon Web Services Payment
1403
+ # Cryptography.
1260
1404
  #
1261
1405
  # * `WrappingKeyIdentifier`: The `KeyArn` of the KEK that Amazon Web
1262
1406
  # Services Payment Cryptography uses to decrypt or unwrap the key
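Review bot: In the added RSA wrap and unwrap paragraph, the text says to call GetParametersForImport with `KeyMaterial` set to `KEY_CRYPTOGRAM`, but the parameter documented for that operation is `key_material_type` (with `KEY_CRYPTOGRAM` as an accepted value), so this should read `KeyMaterialType`. The following sentence, `Next call ImportKey with KeyMaterial set to KEY_CRYPTOGRAM`, is loose in the other direction: in the request syntax `key_material` is a structure with a `key_cryptogram` member, not an enum value. Unlike the TR-34 section, this section has no `Set the following parameters` list, and the `key_cryptogram` structure shown in the request syntax carries no signing certificate. It would be worth stating that `KeyAttributes` and `Exportable` are supplied by the caller here rather than bound inside a signed key block, so reviewers know these values need checking on the calling side. Also `The import token and associated KRD wrapping certificate expires` should be `expire` in both added paragraphs.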
@@ -1271,41 +1415,45 @@ module Aws::PaymentCryptography
1271
1415
  #
1272
1416
  # * GetParametersForImport
1273
1417
  #
1418
+ #
1419
+ #
1420
+ # [1]: https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-import.html
1421
+ #
1274
1422
  # @option params [Boolean] :enabled
1275
1423
  # Specifies whether import key is enabled.
1276
1424
  #
1277
1425
  # @option params [String] :key_check_value_algorithm
1278
1426
  # The algorithm that Amazon Web Services Payment Cryptography uses to
1279
- # calculate the key check value (KCV) for DES and AES keys.
1427
+ # calculate the key check value (KCV). It is used to validate the key
1428
+ # integrity.
1280
1429
  #
1281
- # For DES key, the KCV is computed by encrypting 8 bytes, each with
1282
- # value '00', with the key to be checked and retaining the 3 highest
1283
- # order bytes of the encrypted result. For AES key, the KCV is computed
1284
- # by encrypting 8 bytes, each with value '01', with the key to be
1285
- # checked and retaining the 3 highest order bytes of the encrypted
1286
- # result.
1430
+ # For TDES keys, the KCV is computed by encrypting 8 bytes, each with
1431
+ # value of zero, with the key to be checked and retaining the 3 highest
1432
+ # order bytes of the encrypted result. For AES keys, the KCV is computed
1433
+ # using a CMAC algorithm where the input data is 16 bytes of zero and
1434
+ # retaining the 3 highest order bytes of the encrypted result.
1287
1435
  #
1288
1436
  # @option params [required, Types::ImportKeyMaterial] :key_material
1289
1437
  # The key or public key certificate type to use during key material
1290
1438
  # import, for example TR-34 or RootCertificatePublicKey.
1291
1439
  #
1292
1440
  # @option params [Array<Types::Tag>] :tags
1293
- # The tags to attach to the key. Each tag consists of a tag key and a
1294
- # tag value. Both the tag key and the tag value are required, but the
1295
- # tag value can be an empty (null) string. You can't have more than one
1296
- # tag on an Amazon Web Services Payment Cryptography key with the same
1297
- # tag key.
1298
- #
1299
- # You can't have more than one tag on an Amazon Web Services Payment
1300
- # Cryptography key with the same tag key. If you specify an existing tag
1301
- # key with a different tag value, Amazon Web Services Payment
1302
- # Cryptography replaces the current tag value with the specified one.
1303
- #
1304
- # To use this parameter, you must have `TagResource` permission.
1305
- #
1306
- # Don't include confidential or sensitive information in this field.
1307
- # This field may be displayed in plaintext in CloudTrail logs and other
1308
- # output.
1441
+ # Assigns one or more tags to the Amazon Web Services Payment
1442
+ # Cryptography key. Use this parameter to tag a key when it is imported.
1443
+ # To tag an existing Amazon Web Services Payment Cryptography key, use
1444
+ # the TagResource operation.
1445
+ #
1446
+ # Each tag consists of a tag key and a tag value. Both the tag key and
1447
+ # the tag value are required, but the tag value can be an empty (null)
1448
+ # string. You can't have more than one tag on an Amazon Web Services
1449
+ # Payment Cryptography key with the same tag key. If you specify an
1450
+ # existing tag key with a different tag value, Amazon Web Services
1451
+ # Payment Cryptography replaces the current tag value with the specified
1452
+ # one.
1453
+ #
1454
+ # Don't include personal, confidential or sensitive information in this
1455
+ # field. This field may be displayed in plaintext in CloudTrail logs and
1456
+ # other output.
1309
1457
  #
1310
1458
  # <note markdown="1"> Tagging or untagging an Amazon Web Services Payment Cryptography key
1311
1459
  # can allow or deny permission to the key.
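Review bot: The rewritten `:tags` description drops the removed sentence about needing `TagResource` permission to use this parameter and puts nothing in its place, while the unchanged note right below still says that tagging can allow or deny permission to the key. If the permission is still required (not visible from this hunk), the sentence should be kept after the first paragraph so that IAM policies for importers are written with it in mind. In the `:key_check_value_algorithm` text, the AES sentence ends with `retaining the 3 highest order bytes of the encrypted result`, but a CMAC produces a MAC rather than an encrypted result; `of the CMAC output` would be more precise.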
@@ -1322,6 +1470,28 @@ module Aws::PaymentCryptography
1322
1470
  # enabled: false,
1323
1471
  # key_check_value_algorithm: "CMAC", # accepts CMAC, ANSI_X9_24
1324
1472
  # key_material: { # required
1473
+ # key_cryptogram: {
1474
+ # exportable: false, # required
1475
+ # import_token: "ImportTokenId", # required
1476
+ # key_attributes: { # required
1477
+ # key_algorithm: "TDES_2KEY", # required, accepts TDES_2KEY, TDES_3KEY, AES_128, AES_192, AES_256, RSA_2048, RSA_3072, RSA_4096
1478
+ # key_class: "SYMMETRIC_KEY", # required, accepts SYMMETRIC_KEY, ASYMMETRIC_KEY_PAIR, PRIVATE_KEY, PUBLIC_KEY
1479
+ # key_modes_of_use: { # required
1480
+ # decrypt: false,
1481
+ # derive_key: false,
1482
+ # encrypt: false,
1483
+ # generate: false,
1484
+ # no_restrictions: false,
1485
+ # sign: false,
1486
+ # unwrap: false,
1487
+ # verify: false,
1488
+ # wrap: false,
1489
+ # },
1490
+ # key_usage: "TR31_B0_BASE_DERIVATION_KEY", # required, accepts TR31_B0_BASE_DERIVATION_KEY, TR31_C0_CARD_VERIFICATION_KEY, TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY, TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION, TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS, TR31_E1_EMV_MKEY_CONFIDENTIALITY, TR31_E2_EMV_MKEY_INTEGRITY, TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS, TR31_E5_EMV_MKEY_CARD_PERSONALIZATION, TR31_E6_EMV_MKEY_OTHER, TR31_K0_KEY_ENCRYPTION_KEY, TR31_K1_KEY_BLOCK_PROTECTION_KEY, TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT, TR31_M3_ISO_9797_3_MAC_KEY, TR31_M1_ISO_9797_1_MAC_KEY, TR31_M6_ISO_9797_5_CMAC_KEY, TR31_M7_HMAC_KEY, TR31_P0_PIN_ENCRYPTION_KEY, TR31_P1_PIN_GENERATION_KEY, TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE, TR31_V1_IBM3624_PIN_VERIFICATION_KEY, TR31_V2_VISA_PIN_VERIFICATION_KEY, TR31_K2_TR34_ASYMMETRIC_KEY
1491
+ # },
1492
+ # wrapped_key_cryptogram: "WrappedKeyCryptogram", # required
1493
+ # wrapping_spec: "RSA_OAEP_SHA_256", # accepts RSA_OAEP_SHA_256, RSA_OAEP_SHA_512
1494
+ # },
1325
1495
  # root_certificate_public_key: {
1326
1496
  # key_attributes: { # required
1327
1497
  # key_algorithm: "TDES_2KEY", # required, accepts TDES_2KEY, TDES_3KEY, AES_128, AES_192, AES_256, RSA_2048, RSA_3072, RSA_4096
@@ -1337,7 +1507,7 @@ module Aws::PaymentCryptography
1337
1507
  # verify: false,
1338
1508
  # wrap: false,
1339
1509
  # },
1340
- # key_usage: "TR31_B0_BASE_DERIVATION_KEY", # required, accepts TR31_B0_BASE_DERIVATION_KEY, TR31_C0_CARD_VERIFICATION_KEY, TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY, TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION, TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS, TR31_E1_EMV_MKEY_CONFIDENTIALITY, TR31_E2_EMV_MKEY_INTEGRITY, TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS, TR31_E5_EMV_MKEY_CARD_PERSONALIZATION, TR31_E6_EMV_MKEY_OTHER, TR31_K0_KEY_ENCRYPTION_KEY, TR31_K1_KEY_BLOCK_PROTECTION_KEY, TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT, TR31_M3_ISO_9797_3_MAC_KEY, TR31_M6_ISO_9797_5_CMAC_KEY, TR31_M7_HMAC_KEY, TR31_P0_PIN_ENCRYPTION_KEY, TR31_P1_PIN_GENERATION_KEY, TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE, TR31_V1_IBM3624_PIN_VERIFICATION_KEY, TR31_V2_VISA_PIN_VERIFICATION_KEY, TR31_K2_TR34_ASYMMETRIC_KEY
1510
+ # key_usage: "TR31_B0_BASE_DERIVATION_KEY", # required, accepts TR31_B0_BASE_DERIVATION_KEY, TR31_C0_CARD_VERIFICATION_KEY, TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY, TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION, TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS, TR31_E1_EMV_MKEY_CONFIDENTIALITY, TR31_E2_EMV_MKEY_INTEGRITY, TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS, TR31_E5_EMV_MKEY_CARD_PERSONALIZATION, TR31_E6_EMV_MKEY_OTHER, TR31_K0_KEY_ENCRYPTION_KEY, TR31_K1_KEY_BLOCK_PROTECTION_KEY, TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT, TR31_M3_ISO_9797_3_MAC_KEY, TR31_M1_ISO_9797_1_MAC_KEY, TR31_M6_ISO_9797_5_CMAC_KEY, TR31_M7_HMAC_KEY, TR31_P0_PIN_ENCRYPTION_KEY, TR31_P1_PIN_GENERATION_KEY, TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE, TR31_V1_IBM3624_PIN_VERIFICATION_KEY, TR31_V2_VISA_PIN_VERIFICATION_KEY, TR31_K2_TR34_ASYMMETRIC_KEY
1341
1511
  # },
1342
1512
  # public_key_certificate: "CertificateType", # required
1343
1513
  # },
@@ -1369,7 +1539,7 @@ module Aws::PaymentCryptography
1369
1539
  # verify: false,
1370
1540
  # wrap: false,
1371
1541
  # },
1372
- # key_usage: "TR31_B0_BASE_DERIVATION_KEY", # required, accepts TR31_B0_BASE_DERIVATION_KEY, TR31_C0_CARD_VERIFICATION_KEY, TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY, TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION, TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS, TR31_E1_EMV_MKEY_CONFIDENTIALITY, TR31_E2_EMV_MKEY_INTEGRITY, TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS, TR31_E5_EMV_MKEY_CARD_PERSONALIZATION, TR31_E6_EMV_MKEY_OTHER, TR31_K0_KEY_ENCRYPTION_KEY, TR31_K1_KEY_BLOCK_PROTECTION_KEY, TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT, TR31_M3_ISO_9797_3_MAC_KEY, TR31_M6_ISO_9797_5_CMAC_KEY, TR31_M7_HMAC_KEY, TR31_P0_PIN_ENCRYPTION_KEY, TR31_P1_PIN_GENERATION_KEY, TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE, TR31_V1_IBM3624_PIN_VERIFICATION_KEY, TR31_V2_VISA_PIN_VERIFICATION_KEY, TR31_K2_TR34_ASYMMETRIC_KEY
1542
+ # key_usage: "TR31_B0_BASE_DERIVATION_KEY", # required, accepts TR31_B0_BASE_DERIVATION_KEY, TR31_C0_CARD_VERIFICATION_KEY, TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY, TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION, TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS, TR31_E1_EMV_MKEY_CONFIDENTIALITY, TR31_E2_EMV_MKEY_INTEGRITY, TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS, TR31_E5_EMV_MKEY_CARD_PERSONALIZATION, TR31_E6_EMV_MKEY_OTHER, TR31_K0_KEY_ENCRYPTION_KEY, TR31_K1_KEY_BLOCK_PROTECTION_KEY, TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT, TR31_M3_ISO_9797_3_MAC_KEY, TR31_M1_ISO_9797_1_MAC_KEY, TR31_M6_ISO_9797_5_CMAC_KEY, TR31_M7_HMAC_KEY, TR31_P0_PIN_ENCRYPTION_KEY, TR31_P1_PIN_GENERATION_KEY, TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE, TR31_V1_IBM3624_PIN_VERIFICATION_KEY, TR31_V2_VISA_PIN_VERIFICATION_KEY, TR31_K2_TR34_ASYMMETRIC_KEY
1373
1543
  # },
1374
1544
  # public_key_certificate: "CertificateType", # required
1375
1545
  # },
@@ -1401,7 +1571,7 @@ module Aws::PaymentCryptography
1401
1571
  # resp.key.key_attributes.key_modes_of_use.unwrap #=> Boolean
1402
1572
  # resp.key.key_attributes.key_modes_of_use.verify #=> Boolean
1403
1573
  # resp.key.key_attributes.key_modes_of_use.wrap #=> Boolean
1404
- # resp.key.key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
1574
+ # resp.key.key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M1_ISO_9797_1_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
1405
1575
  # resp.key.key_check_value #=> String
1406
1576
  # resp.key.key_check_value_algorithm #=> String, one of "CMAC", "ANSI_X9_24"
1407
1577
  # resp.key.key_origin #=> String, one of "EXTERNAL", "AWS_PAYMENT_CRYPTOGRAPHY"
@@ -1521,6 +1691,9 @@ module Aws::PaymentCryptography
1521
1691
  # does not return more than the specified number of items, but it might
1522
1692
  # return fewer.
1523
1693
  #
1694
+ # This value is optional. If you include a value, it must be between 1
1695
+ # and 100, inclusive. If you do not include a value, it defaults to 50.
1696
+ #
1524
1697
  # @option params [String] :next_token
1525
1698
  # Use this parameter in a subsequent request after you receive a
1526
1699
  # response with truncated results. Set it to the value of `NextToken`
@@ -1558,7 +1731,7 @@ module Aws::PaymentCryptography
1558
1731
  # resp.keys[0].key_attributes.key_modes_of_use.unwrap #=> Boolean
1559
1732
  # resp.keys[0].key_attributes.key_modes_of_use.verify #=> Boolean
1560
1733
  # resp.keys[0].key_attributes.key_modes_of_use.wrap #=> Boolean
1561
- # resp.keys[0].key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
1734
+ # resp.keys[0].key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M1_ISO_9797_1_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
1562
1735
  # resp.keys[0].key_check_value #=> String
1563
1736
  # resp.keys[0].key_state #=> String, one of "CREATE_IN_PROGRESS", "CREATE_COMPLETE", "DELETE_PENDING", "DELETE_COMPLETE"
1564
1737
  # resp.next_token #=> String
@@ -1596,6 +1769,9 @@ module Aws::PaymentCryptography
1596
1769
  # does not return more than the specified number of items, but it might
1597
1770
  # return fewer.
1598
1771
  #
1772
+ # This value is optional. If you include a value, it must be between 1
1773
+ # and 100, inclusive. If you do not include a value, it defaults to 50.
1774
+ #
1599
1775
  # @option params [String] :next_token
1600
1776
  # Use this parameter in a subsequent request after you receive a
1601
1777
  # response with truncated results. Set it to the value of `NextToken`
@@ -1688,7 +1864,7 @@ module Aws::PaymentCryptography
1688
1864
  # resp.key.key_attributes.key_modes_of_use.unwrap #=> Boolean
1689
1865
  # resp.key.key_attributes.key_modes_of_use.verify #=> Boolean
1690
1866
  # resp.key.key_attributes.key_modes_of_use.wrap #=> Boolean
1691
- # resp.key.key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
1867
+ # resp.key.key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M1_ISO_9797_1_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
1692
1868
  # resp.key.key_check_value #=> String
1693
1869
  # resp.key.key_check_value_algorithm #=> String, one of "CMAC", "ANSI_X9_24"
1694
1870
  # resp.key.key_origin #=> String, one of "EXTERNAL", "AWS_PAYMENT_CRYPTOGRAPHY"
@@ -1750,7 +1926,7 @@ module Aws::PaymentCryptography
1750
1926
  # resp.key.key_attributes.key_modes_of_use.unwrap #=> Boolean
1751
1927
  # resp.key.key_attributes.key_modes_of_use.verify #=> Boolean
1752
1928
  # resp.key.key_attributes.key_modes_of_use.wrap #=> Boolean
1753
- # resp.key.key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
1929
+ # resp.key.key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M1_ISO_9797_1_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
1754
1930
  # resp.key.key_check_value #=> String
1755
1931
  # resp.key.key_check_value_algorithm #=> String, one of "CMAC", "ANSI_X9_24"
1756
1932
  # resp.key.key_origin #=> String, one of "EXTERNAL", "AWS_PAYMENT_CRYPTOGRAPHY"
@@ -1814,7 +1990,7 @@ module Aws::PaymentCryptography
1814
1990
  # resp.key.key_attributes.key_modes_of_use.unwrap #=> Boolean
1815
1991
  # resp.key.key_attributes.key_modes_of_use.verify #=> Boolean
1816
1992
  # resp.key.key_attributes.key_modes_of_use.wrap #=> Boolean
1817
- # resp.key.key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
1993
+ # resp.key.key_attributes.key_usage #=> String, one of "TR31_B0_BASE_DERIVATION_KEY", "TR31_C0_CARD_VERIFICATION_KEY", "TR31_D0_SYMMETRIC_DATA_ENCRYPTION_KEY", "TR31_D1_ASYMMETRIC_KEY_FOR_DATA_ENCRYPTION", "TR31_E0_EMV_MKEY_APP_CRYPTOGRAMS", "TR31_E1_EMV_MKEY_CONFIDENTIALITY", "TR31_E2_EMV_MKEY_INTEGRITY", "TR31_E4_EMV_MKEY_DYNAMIC_NUMBERS", "TR31_E5_EMV_MKEY_CARD_PERSONALIZATION", "TR31_E6_EMV_MKEY_OTHER", "TR31_K0_KEY_ENCRYPTION_KEY", "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", "TR31_M1_ISO_9797_1_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", "TR31_P1_PIN_GENERATION_KEY", "TR31_S0_ASYMMETRIC_KEY_FOR_DIGITAL_SIGNATURE", "TR31_V1_IBM3624_PIN_VERIFICATION_KEY", "TR31_V2_VISA_PIN_VERIFICATION_KEY", "TR31_K2_TR34_ASYMMETRIC_KEY"
1818
1994
  # resp.key.key_check_value #=> String
1819
1995
  # resp.key.key_check_value_algorithm #=> String, one of "CMAC", "ANSI_X9_24"
1820
1996
  # resp.key.key_origin #=> String, one of "EXTERNAL", "AWS_PAYMENT_CRYPTOGRAPHY"
@@ -1865,16 +2041,16 @@ module Aws::PaymentCryptography
1865
2041
  # value, Amazon Web Services Payment Cryptography replaces the current
1866
2042
  # tag value with the new one.
1867
2043
  #
1868
- # Don't include confidential or sensitive information in this field.
1869
- # This field may be displayed in plaintext in CloudTrail logs and other
1870
- # output.
2044
+ # Don't include personal, confidential or sensitive information in this
2045
+ # field. This field may be displayed in plaintext in CloudTrail logs and
2046
+ # other output.
1871
2047
  #
1872
2048
  # To use this parameter, you must have TagResource permission in an IAM
1873
2049
  # policy.
1874
2050
  #
1875
- # Don't include confidential or sensitive information in this field.
1876
- # This field may be displayed in plaintext in CloudTrail logs and other
1877
- # output.
2051
+ # Don't include personal, confidential or sensitive information in this
2052
+ # field. This field may be displayed in plaintext in CloudTrail logs and
2053
+ # other output.
1878
2054
  #
1879
2055
  # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
1880
2056
  #
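Review bot: The plaintext-in-CloudTrail warning now appears twice in the same comment block, at new lines 2044-2046 and again at 2051-2053, with only the TagResource permission sentence between them. Neither copy says what "this field" is, so a reader cannot tell whether the warning covers the tag value described just above, the tag key, or both. I would keep a single copy and name the subject, for example `# Don't include personal, confidential or sensitive information in tags.` followed by the existing CloudTrail sentence. The comment block begins before this hunk, and the text is presumably generated from the service model, so the wording would likely need to be corrected there rather than in this file.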
@@ -2009,7 +2185,7 @@ module Aws::PaymentCryptography
2009
2185
  params: params,
2010
2186
  config: config)
2011
2187
  context[:gem_name] = 'aws-sdk-paymentcryptography'
2012
- context[:gem_version] = '1.8.0'
2188
+ context[:gem_version] = '1.10.0'
2013
2189
  Seahorse::Client::Request.new(handlers, context)
2014
2190
  end
2015
2191